CVE-2022-23227 Overview
CVE-2022-23227 is a critical authentication bypass vulnerability affecting NUUO NVRmini2 network video recorder devices through firmware version 3.11. Because handle_import_user.php performs no authentication check, an unauthenticated remote attacker can upload an encrypted TAR archive to the device and create arbitrary user accounts. When chained with CVE-2011-5325 (a path traversal vulnerability in BusyBox), attackers can overwrite arbitrary files under the web root and achieve remote code execution with root privileges.
Critical Impact
This vulnerability is actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Unauthenticated attackers can achieve complete device compromise with root-level access, potentially compromising surveillance infrastructure and pivoting to internal networks.
Affected Products
- NUUO NVRmini2 Firmware through version 3.11
- NUUO NVRmini2 Hardware devices
Discovery Timeline
- 2022-01-14 - CVE-2022-23227 published to NVD
- 2025-11-07 - Last updated in the NVD database
Technical Details for CVE-2022-23227
Vulnerability Analysis
This vulnerability stems from a complete absence of authentication controls in the handle_import_user.php endpoint on NUUO NVRmini2 devices. The affected endpoint is designed to handle user import functionality via encrypted TAR archives but fails to verify whether the requesting party is authenticated before processing uploads.
The attack abuses the user import functionality, which accepts encrypted TAR archives. An attacker can craft a TAR archive containing user configuration data that, when processed by the vulnerable endpoint, results in the creation of attacker-controlled user accounts on the device. This alone grants unauthorized access to the surveillance system.
However, the severity is significantly amplified when combined with CVE-2011-5325, a long-standing path traversal vulnerability in BusyBox's TAR implementation. By including path traversal sequences in archive member names (../ components), attackers can escape the intended extraction directory and overwrite arbitrary files under the web root. This capability enables the deployment of web shells or malicious scripts that execute with root privileges, resulting in complete device compromise.
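The traversal described above works because the extractor trusts member names as written. The following is an added defensive example, not code from the page, NUUO or BusyBox: it shows the check an import routine must run over every TAR member before writing anything, refusing names that resolve outside the destination directory (including absolute names and symlink or hardlink targets). The destination directory and the sample archive are constructed for the example; nothing is written to disk.

```python
import io
import os
import tarfile


def member_escapes(dest_dir: str, member: tarfile.TarInfo) -> bool:
    """True if extracting this member could write outside dest_dir.

    Covers absolute names, '..' components, and symlinks/hardlinks whose
    target resolves outside the destination.
    """
    dest = os.path.realpath(dest_dir)
    if os.path.isabs(member.name):
        return True
    target = os.path.realpath(os.path.join(dest, member.name))
    if os.path.commonpath([dest, target]) != dest:
        return True
    if member.issym():
        # Symlink targets are relative to the link's own directory
        link = os.path.realpath(os.path.join(os.path.dirname(target), member.linkname))
        return os.path.commonpath([dest, link]) != dest
    if member.islnk():
        # Hardlink targets are relative to the archive root
        link = os.path.realpath(os.path.join(dest, member.linkname))
        return os.path.commonpath([dest, link]) != dest
    return False


def audit_archive(data: bytes, dest_dir: str) -> list:
    """Return the names of members that would escape dest_dir.

    An importer should refuse the whole archive when this list is non-empty
    instead of extracting the harmless members and skipping the rest.
    """
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        return [m.name for m in tar.getmembers() if member_escapes(dest_dir, m)]


def build_sample_archive() -> bytes:
    """Constructed test fixture: one legitimate entry and one entry whose
    name carries ../ components, the archive shape the advisory describes.
    Content is placeholder text."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("users.conf", "../../www/unexpected.php"):
            payload = b"placeholder\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical import directory; the audit only inspects headers
    rejected = audit_archive(build_sample_archive(), "/srv/nvr/import")
    print("rejected members:", rejected)
```

The same check applies to any archive format the device accepts; for Python 3.12 and later, tarfile's `filter="data"` extraction filter enforces equivalent rules, but an importer that calls out to BusyBox tar has to perform them itself.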
Root Cause
The root cause of CVE-2022-23227 is CWE-306: Missing Authentication for Critical Function. The handle_import_user.php script processes sensitive user import operations without implementing any authentication or session validation. This allows any network-accessible attacker to invoke the functionality and upload malicious archives without credentials.
Attack Vector
The attack vector for this vulnerability is network-based, requiring no authentication and no user interaction. An attacker with network access to the NUUO NVRmini2 web interface can directly target the vulnerable endpoint.
The exploitation workflow typically follows this pattern: First, the attacker crafts an encrypted TAR archive containing malicious user data or path traversal payloads. The archive is then uploaded to the handle_import_user.php endpoint via an HTTP POST request. The device processes the archive without authentication checks, extracting its contents. If path traversal sequences are included (exploiting CVE-2011-5325), files can be written to arbitrary locations within the web root. Finally, the attacker can access any deployed web shells to execute commands as root.
A Metasploit module has been developed for this vulnerability, indicating its reliability and ease of exploitation. For technical details, see the GitHub PoC Advisory and the Metasploit Pull Request.
Detection Methods for CVE-2022-23227
Indicators of Compromise
- Unexpected HTTP POST requests to /handle_import_user.php from external or unusual IP addresses
- New user accounts appearing on NVRmini2 devices that were not created by administrators
- Web shell files or unfamiliar PHP scripts appearing in the device web root directory
- Outbound connections from NVRmini2 devices to unknown external hosts
- System log entries showing user import operations without corresponding administrative activity
Detection Strategies
- Monitor web server logs for access to handle_import_user.php, especially from unauthenticated sessions or sources outside the management network
- Implement network intrusion detection rules to identify TAR archive uploads to NUUO devices
- Deploy file integrity monitoring on NVRmini2 web directories to detect unauthorized file creation
- Review user account lists on affected devices for unauthorized or suspicious accounts
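As an added example of the first detection strategy (not code from the page or from NUUO), the script below scans web server access logs in the common combined format and raises an alert for every request to handle_import_user.php, grading severity by method and by whether the client address falls inside the trusted management subnet. The subnet 10.0.1.0/24 is taken from the firewall example on this page and is an assumption about the deployment; the log lines are constructed samples using documentation address ranges, not real traffic.

```python
import ipaddress
import re
from typing import List, NamedTuple

# Trusted management subnet (assumption, matching this page's firewall example)
TRUSTED_MGMT = [ipaddress.ip_network("10.0.1.0/24")]
WATCHED_PATH = "/handle_import_user.php"

# Apache/nginx "combined" access log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


class Alert(NamedTuple):
    severity: str
    ip: str
    ts: str
    method: str
    path: str
    status: int


def is_trusted(ip: str) -> bool:
    """Client address inside the management subnet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address: treat as untrusted
    return any(addr in net for net in TRUSTED_MGMT)


def classify(method: str, ip: str) -> str:
    """Severity for a hit on the watched endpoint."""
    untrusted = not is_trusted(ip)
    if method == "POST" and untrusted:
        return "critical"  # upload attempt from outside the management subnet
    if untrusted:
        return "high"      # endpoint being probed from outside
    if method == "POST":
        return "medium"    # internal import: correlate with an admin change record
    return "low"


def scan_access_log(lines) -> List[Alert]:
    """Return one Alert per request to the watched endpoint."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip
        path = m["path"].split("?", 1)[0]  # ignore query string
        if not path.endswith(WATCHED_PATH):
            continue
        alerts.append(Alert(classify(m["method"], m["ip"]), m["ip"],
                            m["ts"], m["method"], path, int(m["status"])))
    return alerts


# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '203.0.113.45 - - [10/Jan/2024:03:12:07 +0000] "POST /handle_import_user.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '10.0.1.20 - - [10/Jan/2024:09:30:11 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.1.20 - - [10/Jan/2024:09:31:45 +0000] "POST /handle_import_user.php HTTP/1.1" 200 512 "http://nvr.internal/users.php" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:11:02:33 +0000] "GET /handle_import_user.php?x=1 HTTP/1.1" 200 128 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.ip} {a.method} {a.path} -> {a.status}")
```

Because the vulnerable endpoint accepts uploads without any session, the log cannot tell authenticated from unauthenticated calls; source address and method are the usable signals, which is why even a "medium" internal POST should be matched against a record of who performed a user import and when.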
Monitoring Recommendations
- Isolate NUUO NVRmini2 devices on dedicated network segments with restricted access
- Implement egress filtering to detect and block unauthorized outbound connections from surveillance devices
- Enable verbose logging on affected devices and forward logs to a centralized SIEM platform
- Conduct regular audits of user accounts and file system integrity on all NVR devices
How to Mitigate CVE-2022-23227
Immediate Actions Required
- Restrict network access to NUUO NVRmini2 devices using firewall rules, limiting access to trusted management hosts only
- Audit existing user accounts on all NVRmini2 devices and remove any unauthorized accounts
- Review device file systems for signs of compromise including web shells or modified files
- Consider taking vulnerable devices offline if they are internet-exposed and no mitigations are available
- Monitor the CISA KEV Catalog for updated guidance
Patch Information
At the time of this writing, no vendor patch or advisory has been identified in the available CVE data. Organizations should contact NUUO directly to inquire about firmware updates that address this vulnerability. Given the critical nature of this flaw and its active exploitation status, upgrading to patched firmware should be treated as a high priority.
Workarounds
- Place NUUO NVRmini2 devices behind a VPN or reverse proxy that enforces authentication before access
- Block direct internet access to NVRmini2 devices and restrict access to internal management networks only
- Implement web application firewall (WAF) rules to block requests to handle_import_user.php from untrusted sources
- Consider deploying alternative NVR solutions if vendor remediation is not forthcoming
# Example firewall rules to restrict access to the NVRmini2 management interface
# Allow only the trusted management subnet (10.0.1.0/24 is a placeholder; substitute your own)
# Rules are appended (-A), so the ACCEPT rules must come before the DROP rules and
# no earlier rule in the INPUT chain may already accept this traffic
iptables -A INPUT -p tcp --dport 80 -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.0.1.0/24 -j ACCEPT
# Drop everything else destined for the web interface
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.